Login

GLSA-200501-45 : Gallery: XSS vulnerability

Medium Nessus Plugin ID 16436

Synopsis

The remote Gentoo host is missing one or more security-related patches.

Description

The remote host is affected by the vulnerability described in GLSA-200501-45 (Gallery: XSS vulnerability) Rafel Ivgi has discovered a cross-site scripting vulnerability where the 'username' parameter is not properly sanitized in 'login.php'. Impact : By sending a carefully crafted URL, an attacker can inject and execute script code in the victim's browser window, and potentially compromise the user's gallery. Workaround : There is no known workaround at this time.

Solution

All Gallery users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=www-apps/gallery-1.4.4_p6' Note: Users with the vhosts USE flag set should manually use webapp-config to finalize the update.